The results presented in chapters 4, 5 and 6 show there has been little progress in identifying and removing ill-fitting security policies and mechanisms from organisational security implementations: organisations still do not track the effort that individuals have to expend on security, and many elements of existing security implementations create significant friction between security and employee primary tasks. Consequently, there exists no evaluation of policies and mechanisms in terms of fitness-for-purpose in the real working environment. As section 7.1 discussed, burdensome or disruptive security implementations promote shadow security as the only workable security, even for risk-aware employees.
Security experts need to acknowledge that effective security can only be achieved if it fits and supports productive activity. As a result, fitting security to the primary task should be at the centre of any security intervention, whether it aims to improve existing security elements or to design new ones. This section discusses the need to better align security with organisational production tasks, focusing on (1) the importance of usability, (2) careful planning of interventions to ensure primary task compatibility, (3) the need for effective security communication and training, and (4) the need to align employee security efforts with organisational risk appetite.
7.2.1 The importance of security hygiene
Usability of security implementations is still a major hurdle to employees trying to behave securely: the findings presented in this thesis show that current security approaches do not manage to effectively reduce friction between security and productivity. Organisational security management appears to ignore the user-centred security research finding that high-friction security leads to errors and workarounds that create vulnerabilities (e.g. Sasse et al., 2001). Organisations still seek to mitigate information security risks by implementing policies and technical mechanisms that specify and restrict employee behaviour, often also threatening sanctions in case of non-compliance. This “comply-or-die” approach increases the cost of operating security mechanisms, but also creates constraints for honest employees seeking to perform well in their primary tasks. Security mechanisms and processes not designed around employee needs and priorities slow them down, sometimes even completely preventing primary task completion.
They also increase the cognitive load required for employees to participate in organisational protection, eventually causing frustration and disgruntlement. As a result, employees choose to ignore security that requires high effort for little benefit (Beautement et al., 2008), or use readily available resources (e.g. inter-employee trust or line manager support) to resolve the emerging conflict, which encourages the evolution of shadow security in the organisation. This leaves security managers unable to manage the emerging organisational security environment, reducing their ability to effectively manage organisational risks. The resulting high levels of security behaviour deviating from security policy also increase the noise in organisational attempts to detect signs of malicious attacks (von Solms, 2006). All the above call for a significant rethink of the way information security is implemented and managed, demonstrating the need for information security management approaches that put employee understanding and priorities at the centre of their risk mitigation strategy and actions.
The first step for any user-centred security management approach is to realise that security with a high productivity impact will never deliver effective protection. Many security experts still talk (and think) as if usability and security were a trade-off: usability is nice, but security is more important, so asking users to make extra effort is acceptable. Usability is treated as an afterthought and a luxury that security management can only afford to consider once security is assured. But the findings presented in this thesis demonstrate that usability problems can lead to security mechanisms being perceived as incompatible with employee primary tasks. Looking back at the definition of usability (“the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use”, ISO 9241), any mechanism not designed to fit employees’ primary tasks will end up not being used, leading to further security violations and shadow security development.
Security design should treat usability as a hygiene factor for security (Kirlappos and Sasse, 2014): solutions that are not usable disrupt and divert effort from employee primary tasks, and thus will inevitably be circumvented. Risk-aware employees, who understand their role in protecting the organisation, will then resort to shadow security practices at best. At worst they will become disgruntled and see security as an obstacle they need to get around, resorting to high-risk behaviours and increasing potential organisational risk exposure. The emerging employee disgruntlement can create serious risks for an organisation: it hinders the development of social capital and shared values (Moore et al., 2011), resulting in minimal incentive for secure behaviour, while increasing the probability of insider attacks (Vroom and von Solms, 2004). It also impacts the ability of an organisation to retain its valuable human capital; dissatisfaction can lead to employees eventually leaving the organisation (Fléchais et al., 2005). Consequently, delivering security hygiene should be a key requirement for any security management approach; security rules should not need to be broken to maintain productivity.
Security mechanisms need to be designed around employee primary tasks, both to reduce the need for productivity-driven trust violations and to reflect the trustworthiness an organisation should show towards its employees. To eliminate the need for password sharing, for example, an organisation should provide mechanisms for quick account creation for employees who need access to new systems (e.g. through easy-to-use one-time tokens). This can be achieved by bringing human factors expertise and usability design methodologies into the security system design process. The resulting user-centred security design will allow designers to move away from the current “deploy, if too much noise, remove” approach, which makes security implementations expensive to implement, difficult to use, ineffective and unsustainable in the long term. Examples in the interviews have shown that parts of the security implementation can be integrated with productivity, essentially “piggybacking” security on other organisational needs (e.g. personal network storage allocated to employees that also provides automatic backups – see the security hygiene example below).
Another important lesson for shadow security management emerging from the results in chapters 4, 5 and 6 is that improvements required to eliminate shadow security cannot be limited to security mechanisms.
In a number of shadow security practices, the security-productivity friction that created them did not emerge from problems in the security mechanisms, but from reliability issues in organisational IT provisions (e.g. the lack of easy-to-use collaboration platforms within the organisation, leading to the use of third-party ones). In order to eliminate such problems, security management needs to identify situations where functional requirements are missing and consider the impact of those non-security-related mechanisms on employee security behaviour. As the results have shown, effective security protection requires IT in its entirety to be free from problems; any element of the organisational environment that can affect security behaviours needs to be designed around employee priorities, also ensuring its proper function. Failure to achieve this can create a negative attitude towards organisational systems in their entirety, further encouraging trust-driven security violations and shadow security development.
7.2.2 Interventions need careful planning
Attempts to disrupt current employee practices require careful pre-deployment suitability assessments.
Current security intervention attempts fail to assess the impact of attempted improvements on employees, with security management not tracking the effort that they have to expend in order to comply with existing or proposed security mechanisms and policies (Albrechtsen and Hovden, 2009). In addition, changes and attempted security implementation improvements are currently delivered reactively and impulsively. When a security mechanism is causing friction, with employees often voicing their concerns, it may be removed or disabled, but the risks it aimed to address can remain unmitigated until another solution is found. The new solutions are also deployed without proper design, testing and deployment, essentially only managing to modify the type of security-productivity friction employees have to incur (section 5.4.3.2). As discussed in section 7.1, shadow security indicates an employee-devised balance point to manage this friction. Any attempts to alter that balance need to be well planned, otherwise they risk draining employee capacity for secure behaviour. Effective protection can only be achieved with user-centred policy and mechanism design, taking into account the subsequent impact on an organisation’s existing production tasks. To achieve this, security management needs to move towards a participative security design approach that works with users to understand where and how security can align with the productive activity to protect valuable organisation assets.

Security hygiene example: Employees in Company B stored significant amounts of information locally on laptops due to problems with network storage capacity and connectivity issues. They also recognised the importance of that information and the need for backups. The lack of easy access to organisational drives (which are automatically backed up) led to employees having to devise their own backup approaches: they used their own drives, either at team level or individually (both encrypted and unencrypted, with practices differing significantly across groups).
Secure behaviour (storing data on automatically backed-up network drives) can only exist if:
a. Adequate network capacity is put in place
b. The benefits it provides are communicated, also emphasising its productivity benefit (backup)
c. Employees are provided with uninterrupted access to their personal network drives
d. Any reported connectivity problems are quickly addressed
An example of the need for pre-deployment assessment of security improvements was identified in organisational attempts to provide password management solutions to employees. The large number of systems to which employees had to authenticate themselves in both the organisations studied led to writing down their account passwords being the only way to guarantee uninterrupted access to password-protected systems. This reduced the increased cognitive load created by having to manage multiple passwords. Company B’s security management attempted to address this by providing employees with password managers, but the attempt failed when those tools were incompatible with some of the systems/websites employees had to authenticate to. Employees were left with a security mechanism not working as intended, turning the cognitive load problem into a disruption one, with the burden of resolving the conflict between security and productivity once again cast on themselves. Employees then resorted to shadow security behaviours to solve the “too many passwords” problem (section 5.4.2). As the above example suggests, if attempted security improvements are not well designed to eliminate usability problems, and no continuous evaluation of their effectiveness and “goodness-of-fit” with the primary task exists, they run the risk of just changing the nature of the security-productivity friction instead of removing it.
7.2.3 Importance of communication and training
The findings also call for a change in current security communication and training approaches. Lack of accurate knowledge of role-related risks, and lack of role-specific communication based on employee tasks, led to employees dismissing the usefulness of security communication and training. This acted as another driver for shadow security development, with security communication done through line managers and colleagues. To avoid this, the formulation of communication content should aim to accurately represent everyday employee tasks. User-centred security approaches such as requirements gathering and understanding should be used to ensure the communicated information is fit for purpose and in line with the challenges employees face, also formalising the current role of line managers in delivering more context-specific communication. The emerging training and communication should be role-context-specific, with regular refreshing, ensuring employees understand role-related security risks and taking advantage of their identified propensity to behave securely.
7.2.4 Align security effort with risk appetite
Security management should also aim to align the user resources required to bring security in line with organisational risk appetite; currently no formalisation exists of how much of employees’ time and effort should be spent on security. Given that organisational risk management should be based on identification, assessment, and prioritisation of risks (ISO 31000 on risk management), the presence of shadow security suggests a potential mismatch between organisational risk appetite and the current allocation of available employee resources towards delivering effective organisational protection. Current organisational attempts to exhaustively eliminate all potential risks lead to the implementation of a significant number of risk-mitigating mechanisms or policies (often required to meet the demands of relevant regulation or international standards). But when some of those lead to security-productivity friction, security management adopts a post-deployment “ignorance is bliss” approach: they know some risks are left unmitigated, but are often left with inadequate resources to address them. Openly admitting to this approach is often impossible due to regulatory requirements or pressure from the organisation’s top management to deliver the required protection without requesting additional resources, so security management often chooses to ignore (and not report) the presence of some of the unmitigated risks. In addition, the mere presence of too many security mechanisms or policies, even well-designed, context-specific ones, can exhaust employees’ compliance budget, eventually leading to shadow security in the form of self-selection of the mechanisms and policies to comply with. This leaves little or no resources to mitigate more severe organisational risks that employees may perceive as less important. It also prevents the organisation from accurately assessing the amount of employee resources currently invested in implementing and sustaining the current security state: unless employee time and effort are invested in a centrally managed way, the organisation runs the risk of employee resources being allocated to potentially insignificant security risks. It is also important to understand that in risk management it is acceptable to do nothing about some risks if the available resources can deliver higher risk mitigation in other areas. In general, organisational security risk management needs to direct employee time and effort towards addressing the most important risks first, minimising shadow-security-driven resource allocation by employees and thus ensuring available resources are invested towards maximal risk mitigation (a process for deploying shadow-security-driven risk management is presented later in section 7.5).